By John A. Wheeler, Senior Director Analyst at Gartner
Integrated risk management (IRM) technology is uniquely suited to address the myriad of risks arising from the current crisis and future COVID-19 recovery. IRM technology product leaders will need to develop IRM capabilities that address the market insights outlined in this blog post.
The shift in IRM buyers from IT leaders to business leaders is being driven by an increasing need to better understand the tactical view of technology risks in a strategic business context. The pandemic has intensified the need for organizations to rely on digital operations in order to not only remain competitive and grow but also to survive.
Product leaders should consider the following four market trends that will fuel demand for IRM solutions to aid in the COVID-19 business recovery. Each market insight is critical to consider for future product development in addition to market positioning and messaging activities.
- IRM buying center continues shift from IT leaders to business leaders
As more businesses are maturing their risk management practices, the buying center for IRM is shifting. This is primarily driven by an increasing need to better understand the tactical view of technology risks in a strategic business context. In 2019, Gartner saw a 36% increase in IRM client inquiry by business leaders. In addition, 73% of the 760 IRM client interactions in 2019 were business leader focused [1].
In particular, as our end-user clients look to digital transformation and innovation to emerge from the pandemic, business leaders such as the Chief Executive Officer, Chief Operating Officer, Chief Financial Officer and Chief Risk Officer will need insight into IRM technology providers. This need for IRM is reflected in our most recent Gartner CEO Survey where CEOs identified risk management as one of their top priorities in 2020 & 2021 (see figure below). In fact, risk management received the highest increase in response (39% more than 2019) from CEOs and senior business leaders.
- The current crisis is operationally centered
Unlike the 2008-2009 Great Recession that was financially centered in its origin and resolution, the COVID-19 crisis is operationally centered. This means that the economic impacts from this crisis are driven by a disruption of business operations due to health and safety-related closures. The financial stimulus provided by governments around the globe is merely a bridge to the other side of the crisis – business operations recovery. Once recovery begins, IRM will provide visibility of the interconnected risks (i.e. third-party, digital, business continuity, health & safety, legal and ethics & compliance risks) that businesses must navigate to succeed.
To effectively manage these risks, business leaders must have an understanding of the linkages between strategic business outcomes, operational processes and technology assets (see figure below). In addition, a growing need for visibility into the risks associated with products and services balanced by the necessary policies and procedures will lead business leaders away from legacy GRC technology. Legacy GRC technology focuses exclusively on policies and procedures in a siloed, departmental view. In the new digital business environment, the more balanced, integrated view of risk will be required for success.
- Risk visibility is needed vertically through the enterprise, not just horizontally
This risk visibility is needed both horizontally across the organization (as seen in most enterprise risk management (ERM) programs) and vertically down through the organization (see figure below). A single view of risks at strategic and tactical levels will be needed to re-start business operations as the workforce slowly transitions back to full speed. Too often, boards of directors and senior business leaders will only consider an ERM view of risk without understanding how business operations factor into risk mitigation at the tactical execution layers. A greater understanding of how risk mitigation must be integrated throughout the business is essential for successful recovery efforts.
- Digital transformation is rapidly becoming a “must have” for businesses
Certain digital transformation is now a “must have” not only for future competitiveness and growth, but also for survival. The business world is now relying on digital operations to maintain business continuity in this crisis. This shift will not fade as we recover. It will remain as a new way of conducting business in a cost-optimized, more efficient environment. As such, management of digital risks in an integrated way will become a top priority for businesses.
To this end, business leaders need more risk quantification and analytics to support their digital business decision making. No longer can they rely exclusively on qualitative measures of risk. A balanced view of both quantitative and qualitative risk measures is needed at both the tactical and strategic levels (see figure below). Targeted risk mitigation as part of digital optimization efforts requires a cost/benefit analysis to determine how much risk the organization is willing to tolerate. Strategic risk mitigation as part of a digital transformation initiative requires an ROI/IRR analysis to determine how risks will factor into the profitability of a product or service.
These are trying times for business leaders and their organizations. The only way through this crisis into recovery is to increase our degree of certainty in a highly uncertain world. That is what IRM is designed to help organizations do.